https://community.cisco.com/t5/network-security/self-signed-certificate-change-rsa-public-key-signature/m-p/2581551#M920549 <P>Hi</P><P>&nbsp;</P><P>My 1801 router (IOS 15x) is using the original self signed certificate (1024) with an signature algorithm MD5. I would like to change the cert to a 2048 key length , with a hash of SHA1 or better but I'm unsure how to do this.</P><P>Should I just generate new keys or would I be better creating a new self-signed cert?&nbsp; What is the procedure &amp; explicit commands (CLI) to do this?</P><P>&nbsp;</P><P>&nbsp;</P><P>Many thanks in advance.</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Bob</P><P>&nbsp;</P> Fri, 21 Feb 2020 13:20:03 GMT ms4561 2020-02-21T13:20:03Z https://community.cisco.com/t5/network-security/self-signed-certificate-change-rsa-public-key-signature/m-p/2581551#M920549 <P>Hi</P><P>&nbsp;</P><P>My 1801 router (IOS 15x) is using the original self signed certificate (1024) with an signature algorithm MD5. I would like to change the cert to a 2048 key length , with a hash of SHA1 or better but I'm unsure how to do this.</P><P>Should I just generate new keys or would I be better creating a new self-signed cert?&nbsp; What is the procedure &amp; explicit commands (CLI) to do this?</P><P>&nbsp;</P><P>&nbsp;</P><P>Many thanks in advance.</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Bob</P><P>&nbsp;</P> Fri, 21 Feb 2020 13:20:03 GMT https://community.cisco.com/t5/network-security/self-signed-certificate-change-rsa-public-key-signature/m-p/2581551#M920549 ms4561 2020-02-21T13:20:03Z https://community.cisco.com/t5/network-security/self-signed-certificate-change-rsa-public-key-signature/m-p/2581552#M920550 <P>Remove the old certificate and RSA key.</P><P>Create a new RSA key with modulus 2048. Then a new certificate - it will use the new stronger private key you just created.</P><P><SPAN style="font-family:courier new,courier,monospace;">no crypto pki trustpoint &lt;existing certificate name&gt;<BR />crypto key zeroize rsa<BR />crypto key generate rsa modulus 2048 label &lt;name for new rsa key&gt;<BR />ip http secure-server</SPAN></P><P>(The last command will automatically generate a new self-signed certificate.)</P> Thu, 20 Nov 2014 15:52:58 GMT https://community.cisco.com/t5/network-security/self-signed-certificate-change-rsa-public-key-signature/m-p/2581552#M920550 Marvin Rhoads 2014-11-20T15:52:58Z https://community.cisco.com/t5/network-security/self-signed-certificate-change-rsa-public-key-signature/m-p/2581553#M920551 <P>Hi Marvin</P><P>&nbsp;</P><P>Thank you for reply. I would like to clarify one point, I use the cert for ssh connections to router &amp; don't&nbsp; want to enable secure-server (as I don't use this service) on the router. Is there another command to create a new certificate without enabling/disabling secure-server.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Bob</P> Fri, 21 Nov 2014 07:33:23 GMT https://community.cisco.com/t5/network-security/self-signed-certificate-change-rsa-public-key-signature/m-p/2581553#M920551 ms4561 2014-11-21T07:33:23Z https://community.cisco.com/t5/network-security/self-signed-certificate-change-rsa-public-key-signature/m-p/2581554#M920552 <P>Sure, the secure-server is the quickest and easiest method but you can create the new key, define the trustpoint manually and enroll the certificate that way.</P> <P>Below are the commands. (You can of course call the key, trustpoint, O&nbsp;and CN values whatever locally significant names make&nbsp;sense for you.)</P> <PRE style="margin-top: 20px; margin-bottom: 20px; padding: 15px; font-size: 12px; font-family: 'Courier New', Courier, mono; line-height: 1.5em; color: rgb(0, 0, 0); overflow: auto; white-space: pre; border-style: dashed; border-color: rgb(204, 204, 204); background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;"> router(config)#crypto key generate rsa label router-rsa modulus 2048 The name for the keys will be: router-rsa % The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 10 seconds) router(config)#</PRE> <PRE style="margin-top: 20px; margin-bottom: 20px; padding: 15px; font-size: 12px; font-family: 'Courier New', Courier, mono; line-height: 1.5em; color: rgb(0, 0, 0); overflow: auto; white-space: pre; border-style: dashed; border-color: rgb(204, 204, 204); background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;"> router(config)#crypto pki trustpoint router-ca router(ca-trustpoint)#enrollment selfsigned router(ca-trustpoint)#subject-name O=Test,CN=www.router.com router(ca-trustpoint)#rsakeypair router-rsa</PRE> <PRE style="margin-top: 20px; margin-bottom: 20px; padding: 15px; font-size: 12px; font-family: 'Courier New', Courier, mono; line-height: 1.5em; color: rgb(0, 0, 0); overflow: auto; white-space: pre; border-style: dashed; border-color: rgb(204, 204, 204); background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;"> router(config)#crypto pki enroll router-ca % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: no Generate Self Signed Router Certificate? [yes/no]: yes Router Self Signed Certificate successfully created router(config)#</PRE> Mon, 24 Nov 2014 13:47:06 GMT https://community.cisco.com/t5/network-security/self-signed-certificate-change-rsa-public-key-signature/m-p/2581554#M920552 Marvin Rhoads 2014-11-24T13:47:06Z